Pangolin is an open-source, identity-based remote access platform built on the high-performance WireGuard VPN protocol. It functions as a zero trust remote access (ZTNA) solution designed for IT administrators, DevOps teams, and security-conscious organizations that need to grant secure, granular access to internal applications and infrastructure. By combining peer-to-peer WireGuard tunnels with a centralized control plane, Pangolin delivers a unified dashboard for managing connectivity across on-premises, cloud, and edge environments. Its core value lies in eliminating the attack surface and complexity of traditional VPNs while providing seamless, policy-driven access that verifies identity and context at every request.
Traditional remote access solutions often rely on open inbound ports, full network-level access, and complex VPN configurations that create security blind spots and operational overhead. Pangolin solves these pain points by enforcing zero trust principles: no device or user is trusted by default, access is granted only to specific applications rather than the entire network, and all connections are authenticated and authorized based on identity and contextual factors such as device posture and location. For teams managing hybrid or multi-cloud infrastructure, this eliminates the need to expose services to the internet, reduces the risk of lateral movement, and simplifies compliance with security frameworks like zero trust.
A key feature of Pangolin is its identity-based access control that integrates with existing identity providers via SSO using Google, Microsoft, and any OAuth2/OIDC provider. Users connect using their corporate identities, eliminating the need for separate credentials or VPN client accounts. Administrators can define policies that enforce identity and context-aware rules, such as allowing access only from managed devices or during business hours. This approach not only streamlines onboarding and offboarding but also provides detailed audit trails of who accessed which resource and when.
Pangolin enables zero trust access to specific applications rather than full network segments. Administrators can expose individual web apps, SSH sessions, RDP desktops, databases, or APIs through a secure tunnel. Users access these resources either via a lightweight client that establishes a peer-to-peer WireGuard connection or directly through a browser for a clientless experience. This application-level segmentation significantly reduces the attack surface and allows granular control over permissions, ensuring that a compromised credential cannot lead to lateral movement across the network.
admin
Deployment is straightforward with Pangolin’s connector component that can be easily deployed behind any firewall. The connector establishes outbound-only connections to the control plane, automatically punching through NATs and firewalls without requiring open inbound ports. This makes it ideal for securing remote access to legacy systems, industrial control equipment, or IoT devices that cannot run a VPN client. Pangolin also supports health checks and load balancing on target resources, ensuring high availability and reliability for critical services.
Pangolin’s architecture centers on a control plane that manages WireGuard tunnels, identity policies, and resource definitions. Connectors, deployed at each site, register with the control plane and forward traffic to designated internal resources. When a user requests access to a resource, the control plane verifies identity, checks contextual policies, and dynamically provisions a secure tunnel between the user’s client and the appropriate connector. This tunnel is encrypted end-to-end using WireGuard, and all data in transit is protected. The unified dashboard provides real-time visibility into active connections, user sessions, and system health.
Concrete use cases include providing secure remote access for managed service providers (MSPs) to individual customer environments without VPN sprawl. Similarly, industrial teams can remotely access PLCs, SCADA systems, and Ignition HMI panels without opening firewall ports. DevOps engineers can use Pangolin to provide developers with browser-based SSH or RDP access to staging servers, and IT teams can enable secure remote support for end-user devices. Outcomes include reduced operational friction, improved security posture, and simplified compliance with regulatory requirements like SOC 2 or HIPAA.
Pangolin targets IT administrators, DevOps engineers, security professionals, and MSPs who manage hybrid infrastructure and need a scalable, secure alternative to traditional VPNs. It supports macOS, iOS, Windows, Linux, and Android clients, and offers both a cloud-hosted platform and a self-hosted option for organizations requiring full data control. Pricing is available on the website, and the open-source community edition is free to use. In summary, Pangolin provides a modern, identity-first approach to remote access that combines WireGuard’s performance with zero trust security, making it a compelling choice for any organization looking to modernize its remote access strategy.
Pangolin is designed for IT administrators, DevOps engineers, security professionals, and managed service providers (MSPs) who manage hybrid, multi-cloud, or edge infrastructure. It is particularly valuable for organizations seeking to replace traditional VPNs with a zero trust remote access model, reduce network attack surface, and enforce granular identity-based policies. Teams handling compliance requirements, such as SOC 2, HIPAA, or PCI, will benefit from Pangolin’s audit trails and microsegmentation. It also suits industrial environments needing secure remote access to PLCs, SCADA, and IoT devices without opening firewall ports.